From e45db9d668c9a8639d22efff8bdde57f2675db3e Mon Sep 17 00:00:00 2001
From: Martchus
Date: Sat, 30 Dec 2023 20:38:15 +0100
Subject: [PATCH] Fix certificate errors when Schannel TLS backend is used

* Unify code paths for compiling expected SSL errors so in any case the expected errors are including the error types emitted by the Schannel backend
* See https://github.com/Martchus/syncthingtray/issues/223
---
 syncthingconnector/syncthingconnection.cpp | 7 ++--
 .../syncthingconnectionsettings.cpp | 32 ++++++++++---------
 .../syncthingconnectionsettings.h | 3 ++
 3 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/syncthingconnector/syncthingconnection.cpp b/syncthingconnector/syncthingconnection.cpp
index f6a8023..01c126d 100644
--- a/syncthingconnector/syncthingconnection.cpp
+++ b/syncthingconnector/syncthingconnection.cpp
@@ -802,14 +802,11 @@ bool SyncthingConnection::loadSelfSignedCertificate(const QUrl &url)
     }
     // add exception
     const QList certs = QSslCertificate::fromPath(certPath);
-    if (certs.isEmpty()) {
+    if (certs.isEmpty() || certs.at(0).isNull()) {
         emit error(tr("Unable to load certificate used by Syncthing."), SyncthingErrorCategory::OverallConnection, QNetworkReply::NoError);
         return false;
     }
-    const QSslCertificate &cert = certs.at(0);
-    m_expectedSslErrors.reserve(4);
-    m_expectedSslErrors << QSslError(QSslError::UnableToGetLocalIssuerCertificate, cert) << QSslError(QSslError::UnableToVerifyFirstCertificate, cert)
-                        << QSslError(QSslError::SelfSignedCertificate, cert) << QSslError(QSslError::HostNameMismatch, cert);
+    m_expectedSslErrors = SyncthingConnectionSettings::compileSslErrors(certs.at(0));
     return true;
 }
diff --git a/syncthingconnector/syncthingconnectionsettings.cpp b/syncthingconnector/syncthingconnectionsettings.cpp
index 9cd4716..6c520c5 100644
--- a/syncthingconnector/syncthingconnectionsettings.cpp
+++ b/syncthingconnector/syncthingconnectionsettings.cpp
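Review bot: The new line `m_expectedSslErrors = SyncthingConnectionSettings::compileSslErrors(certs.at(0));` replaces the list instead of appending to it as the removed `<<` chain did, so if loadSelfSignedCertificate (which starts above this hunk) does not clear m_expectedSslErrors earlier, previously accumulated entries are now discarded; that is presumably the intent, matching the settings-side loadHttpsCert which clears first, but it is worth confirming. The list also grows from four to six tolerated error types (CertificateUntrusted and CertificateRejected added); since every QSslError carries `certs.at(0)`, this should not widen acceptance beyond that one certificate, which deserves a comment at the assignment: `// tolerate verification errors only for exactly this certificate; any other chain still fails`. Note that only the first certificate returned by fromPath() is pinned and any further certificates in certPath are silently ignored, which could be stated in the same comment.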
@@ -2,6 +2,20 @@ namespace Data {
+QList SyncthingConnectionSettings::compileSslErrors(const QSslCertificate &trustedCert)
+{
+    // clang-format off
+    return QList{
+        QSslError(QSslError::UnableToGetLocalIssuerCertificate, trustedCert),
+        QSslError(QSslError::UnableToVerifyFirstCertificate, trustedCert),
+        QSslError(QSslError::SelfSignedCertificate, trustedCert),
+        QSslError(QSslError::HostNameMismatch, trustedCert),
+        QSslError(QSslError::CertificateUntrusted, trustedCert),
+        QSslError(QSslError::CertificateRejected, trustedCert)
+    };
+    // clang-format on
+}
+
 bool SyncthingConnectionSettings::loadHttpsCert()
 {
     expectedSslErrors.clear();
@@ -9,23 +23,11 @@ bool SyncthingConnectionSettings::loadHttpsCert()
         return true;
     }
     const auto certs(QSslCertificate::fromPath(httpsCertPath));
-    if (certs.isEmpty()) {
+    if (certs.isEmpty() || certs.at(0).isNull()) {
         return false;
     }
-    const auto &cert(certs.front());
-    if (cert.isNull()) {
-        return false;
-    }
-    // clang-format off
-    expectedSslErrors = {
-        QSslError(QSslError::UnableToGetLocalIssuerCertificate, cert),
-        QSslError(QSslError::UnableToVerifyFirstCertificate, cert),
-        QSslError(QSslError::SelfSignedCertificate, cert),
-        QSslError(QSslError::HostNameMismatch, cert),
-        QSslError(QSslError::CertificateUntrusted, cert),
-        QSslError(QSslError::CertificateRejected, cert)
-    };
-    // clang-format on
+
+    expectedSslErrors = compileSslErrors(certs.at(0));
     return true;
 }
 } // namespace Data
diff --git a/syncthingconnector/syncthingconnectionsettings.h b/syncthingconnector/syncthingconnectionsettings.h
index 2e9bccc..80e1d28 100644
--- a/syncthingconnector/syncthingconnectionsettings.h
+++ b/syncthingconnector/syncthingconnectionsettings.h
@@ -10,6 +10,8 @@
 #include
 #include
+QT_FORWARD_DECLARE_CLASS(QSslCertificate)
+
 namespace Data {
 /*!
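Review bot: The new compileSslErrors() has no documentation although it now defines, for both connection paths, which TLS verification failures the application will ignore; a `/*!` block in the style the header already uses should state that it returns the errors to be tolerated for `trustedCert` only, that each entry is bound to that certificate so ignoring the list accepts no other untrusted certificate (QSslError comparison includes the certificate — confirm against the Qt version in use), and that CertificateUntrusted and CertificateRejected are present because the Schannel backend reports those types instead of the OpenSSL ones (see the linked issue). A one-line why-comment is also warranted on `QSslError(QSslError::HostNameMismatch, trustedCert),` since accepting a hostname mismatch is only safe because the certificate is pinned: `// pinned certificate, so the host it is served from is not checked`. In the second hunk the added empty `+` line before `expectedSslErrors = compileSslErrors(certs.at(0));` is a stray blank line that the old code did not have.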
@@ -49,6 +51,7 @@ struct LIB_SYNCTHING_CONNECTOR_EXPORT SyncthingConnectionSettings {
     QList expectedSslErrors;
     SyncthingStatusComputionFlags statusComputionFlags = SyncthingStatusComputionFlags::Default;
     bool autoConnect = false;
+    static QList compileSslErrors(const QSslCertificate &trustedCert);
     bool loadHttpsCert();
     static constexpr int defaultTrafficPollInterval = 5000;